* Re: How to start external script when ipfilter rule matches
[not found] <20040806042631.5824.39404.Mailman@vishnu.netfilter.org>
@ 2004-08-06 19:33 ` Samuel Jean
2004-08-06 22:17 ` nadim
2004-08-14 11:09 ` Sören Lorenz
0 siblings, 2 replies; 8+ messages in thread
From: Samuel Jean @ 2004-08-06 19:33 UTC (permalink / raw)
To: netfilter; +Cc: soeren.lorenz
> Date: Thu, 05 Aug 2004 22:39:51 +0200
> From: Sören Lorenz <soeren.lorenz@web.de>
>
> I'd like to start Squid when packets arrive on port 3128 on my router.
That's not netfilter/iptables' job. inetd better suits your needs.
I don't know much about Squid, but I guess it supports inetd.
> When the router disconnects from my ISP, Squid is shutdown again.
If that isn't a question, goto CONTINUE
As you seem to be using a PPP connection, I'd consider using the
/etc/ppp/ip-down bash script, which is launched after a successful
disconnection process.
:CONTINUE
> Ideally the packets would be kept on hold until Squid is running and
> then delivered to the daemon. Another question is to shutdown squid
> after a certain time of inactivity on port 3128. Is there a way to
> achieve this with ipfilter?
Again, not iptables/netfilter. Inetd can.
>
> Thanks in advance.
>
> Regards,
>
> Sören Lorenz
Hope this helps.
--
Samuel Jean
SysAdmin & NetAdmin
at cookinglinux.org
* Re: How to start external script when ipfilter rule matches
2004-08-06 19:33 ` How to start external script when ipfilter rule matches Samuel Jean
@ 2004-08-06 22:17 ` nadim
2004-08-06 22:41 ` Michael Gale
2004-08-14 11:09 ` Sören Lorenz
1 sibling, 1 reply; 8+ messages in thread
From: nadim @ 2004-08-06 22:17 UTC (permalink / raw)
To: netfilter
I'm a complete noob so I am certainly wrong. I posted a question a few days
ago about IPQ (that no one bothered to answer :-( ).
Isn't ipq what Sören is trying to come to?
here is a link to what can be done from perl:
http://michael.toren.net/slides/ipqueue/
Am I getting all wrong?
Cheers, Nadim.
On Friday 06 August 2004 21:33, Samuel Jean wrote:
> > Date: Thu, 05 Aug 2004 22:39:51 +0200
> > From: Sören Lorenz <soeren.lorenz@web.de>
> >
> > I'd like to start Squid when packets arrive on port 3128 on my router.
>
> That's not netfilter/iptables' job. inetd better suits your needs.
> I don't know much about Squid, but I guess it supports inetd.
>
> > When the router disconnects from my ISP, Squid is shutdown again.
>
> If that isn't a question, goto CONTINUE
>
> As you seem to be using a PPP connection, I'd consider using the
> /etc/ppp/ip-down bash script, which is launched after a successful
> disconnection process.
>
> :CONTINUE
> :
> > Ideally the packets would be kept on hold until Squid is running and
> > then delivered to the daemon. Another question is to shutdown squid
> > after a certain time of inactivity on port 3128. Is there a way to
> > achieve this with ipfilter?
>
> Again, not iptables/netfilter. Inetd can.
>
> > Thanks in advance.
> >
> > Regards,
> >
> > Sören Lorenz
>
> Hope this helps.
* Re: How to start external script when ipfilter rule matches
2004-08-06 19:33 ` How to start external script when ipfilter rule matches Samuel Jean
2004-08-06 22:17 ` nadim
@ 2004-08-14 11:09 ` Sören Lorenz
2004-08-14 11:20 ` Antony Stone
1 sibling, 1 reply; 8+ messages in thread
From: Sören Lorenz @ 2004-08-14 11:09 UTC (permalink / raw)
To: netfilter
Samuel Jean schrieb:
>That's not netfilter/iptables' job. inetd better suits your needs.
>I don't know much about Squid, but I guess it supports inetd.
No, it doesn't. It needs to bind the port directly, no way to run it via
inetd.
>>When the router disconnects from my ISP, Squid is shutdown again.
>Again, not iptables/netfilter. Inetd can.
Come on, there must be a way to trigger userspace actions on netfilter
matches. Some people do realtime blacklisting on portscanning IPs. I'm
looking for a lightweight (router suitable) way to do this. Solutions
depending on Perl are not an option.
Regards,
Sören Lorenz
* Re: How to start external script when ipfilter rule matches
2004-08-14 11:09 ` Sören Lorenz
@ 2004-08-14 11:20 ` Antony Stone
2004-08-19 9:40 ` Sören Lorenz
0 siblings, 1 reply; 8+ messages in thread
From: Antony Stone @ 2004-08-14 11:20 UTC (permalink / raw)
To: netfilter
On Saturday 14 August 2004 12:09 pm, Sören Lorenz wrote:
> Samuel Jean schrieb:
> >That's not netfilter/iptables' job. inetd better suits your needs.
> >I don't know much about Squid, but I guess it supports inetd.
>
> No, it doesn't. It needs to bind the port directly, no way to run it via
> inetd.
Indeed! The idea of spawning Squid from inetd is horrible :(
> >>When the router disconnects from my ISP, Squid is shutdown again.
> >
> >Again, not iptables/netfilter. Inetd can.
>
> Come on, there must be a way to trigger userspace actions on netfilter
> matches. Some people do realtime blacklisting on portscanning IPs. I'm
> looking for a lightweight (router suitable) way to do this. Solutions
> depending on Perl are not an option.
Try investigating the ULOG target perhaps?
Antony.
--
"Reports that say that something hasn't happened are always interesting to me,
because as we know, there are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say we know there are some
things we do not know. But there are also unknown unknowns - the ones we
don't know we don't know."
- Donald Rumsfeld, US Secretary of Defence
Please reply to the list;
please don't CC me.
* Re: How to start external script when ipfilter rule matches
2004-08-14 11:20 ` Antony Stone
@ 2004-08-19 9:40 ` Sören Lorenz
0 siblings, 0 replies; 8+ messages in thread
From: Sören Lorenz @ 2004-08-19 9:40 UTC (permalink / raw)
To: netfilter
Yes, that's the way to go. But I need a lightweight userspace program
to trigger the actions I want to execute based on specific log events.
I've only come across perl solutions for this which is not suitable for
a router.
Regards,
Sören Lorenz
Antony Stone schrieb:
>Try investigating the ULOG target perhaps?
>
>Antony.
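The "lightweight userspace program" Sören is asking for, built on Antony's LOG/ULOG suggestion, as an added example that is not code from the thread or from any of its participants. It is plain sh (only the main loop uses bash's `read -t`), with no Perl. The iptables rule, the "SQUID_HIT: " prefix, the log path, the Squid start/stop commands and the claim that ulogd's LOGEMU output carries the same `SRC=`/`DPT=` fields as the LOG target are all assumptions. The security point it makes: every field in a netfilter log line is derived from an unauthenticated packet, so the watcher validates the source address and port before they go anywhere near a command line, never evaluates log data, and the kernel-side rule is rate limited so an attacker cannot flood the log by hammering port 3128.

```shell
#!/bin/sh
# Added example (not from the thread): a small Perl-free watcher that turns
# netfilter log matches into userspace actions: start Squid on a hit on
# port 3128, stop it after a period of inactivity. The rule, prefix, log
# path and Squid commands are assumptions.
#
# Assumed rule on the router (run as root). The limit match keeps an attacker
# from flooding the log by hammering the port:
#   iptables -I INPUT -p tcp --dport 3128 --syn \
#       -m limit --limit 6/min --limit-burst 3 \
#       -j LOG --log-prefix "SQUID_HIT: "
# The LOG target writes to the kernel log; ulogd's LOGEMU output for a ULOG
# rule carries the same "SRC=... DPT=..." fields (assumption about the
# ulogd configuration), so the parser below serves either.

set -f   # never glob-expand fields that came from a packet

PREFIX="SQUID_HIT: "

# Accept only a dotted quad with octets 0-255. Nothing from a log line
# reaches a command line (e.g. "iptables -I INPUT -s $src -j DROP" in a
# blacklister) without passing this check.
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Extract SRC and DPT from a line carrying our prefix; print "SRC DPT" and
# return 0, or return 1 for any line to ignore (wrong prefix, bad fields).
parse_log_line() {
    case $1 in
        *"$PREFIX"*) ;;
        *) return 1 ;;
    esac
    src=; dpt=
    for f in $1; do
        case $f in
            SRC=*) src=${f#SRC=} ;;
            DPT=*) dpt=${f#DPT=} ;;
        esac
    done
    valid_ipv4 "$src" || return 1
    case $dpt in ''|*[!0-9]*) return 1 ;; esac
    [ "$dpt" -le 65535 ] || return 1
    printf '%s %s\n' "$src" "$dpt"
}

# True when the last hit is at least IDLE seconds old. Kept pure so it can
# be tested without a clock: idle_expired NOW LAST_HIT IDLE
idle_expired() {
    [ $(( $1 - $2 )) -ge "$3" ]
}

# Actions are fixed commands; log data is never spliced into them.
# (Assumed Squid invocation: "squid" to start, "squid -k shutdown" to stop.)
start_squid() { pgrep -x squid >/dev/null || squid; }
stop_squid()  { squid -k shutdown; }

# Main loop: follow the log, act on hits, re-check the idle timer every 30 s.
# "read -t" is a bash extension; everything above is plain POSIX sh.
watch() {   # watch LOGFILE [IDLE_SECONDS]
    logfile=$1; idle=${2:-600}
    last=$(date +%s); running=0
    tail -n 0 -F "$logfile" | while :; do
        if IFS= read -r -t 30 line; then
            if hit=$(parse_log_line "$line"); then
                last=$(date +%s)
                [ "$running" -eq 1 ] || { start_squid; running=1; }
                echo "hit from ${hit% *} on port ${hit#* }"
            fi
        elif [ $? -le 128 ]; then
            break    # EOF: tail went away
        fi
        if [ "$running" -eq 1 ] && idle_expired "$(date +%s)" "$last" "$idle"; then
            stop_squid; running=0
        fi
    done
}

# Run the watcher only when invoked as: ./watch.sh --watch /var/log/kern.log 600
[ "${1:-}" = "--watch" ] && watch "$2" "$3"
```

Two caveats. LOG and ULOG only report a match; they cannot hold the packet, which is the part of the original question that would need the QUEUE target and libipq that nadim pointed at. With this script, while nothing is listening on 3128 the kernel answers the SYN with a RST and the first connection attempt simply fails; Squid is up for the retry. And the inactivity timer only sees new connections (the rule matches `--syn`), which is what you want: an established proxy session that is still transferring data does not keep re-triggering the rule, so pick the idle period with that in mind.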
* How to start external script when ipfilter rule matches
@ 2004-08-05 20:39 Sören Lorenz
0 siblings, 0 replies; 8+ messages in thread
From: Sören Lorenz @ 2004-08-05 20:39 UTC (permalink / raw)
To: netfilter
I'd like to start Squid when packets arrive on port 3128 on my router.
When the router disconnects from my ISP, Squid is shutdown again.
Ideally the packets would be kept on hold until Squid is running and
then delivered to the daemon. Another question is to shutdown squid
after a certain time of inactivity on port 3128. Is there a way to
achieve this with ipfilter?
Thanks in advance.
Regards,
Sören Lorenz